CVE-2023-2816 - OpenCVE

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hashicorp	Consul

Configuration 1 [-]

OR	cpe:2.3:a:hashicorp:consul:::::-:::*
	cpe:2.3:a:hashicorp:consul:::::enterprise:::*

No data.

References

Link	Providers
https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525

History

No history.

MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published: 2023-06-02T22:43:34.553Z

Updated: 2024-08-02T06:33:05.672Z

Reserved: 2023-05-19T18:11:06.618Z

Link: CVE-2023-2816

Vulnrichment

Updated: 2024-08-02T06:33:05.672Z

NVD

Status : Modified

Published: 2023-06-02T23:15:09.503

Modified: 2023-11-07T04:13:22.913

Link: CVE-2023-2816

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-2816", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2023-05-19T18:11:06.618Z", "datePublished": "2023-06-02T22:43:34.553Z", "dateUpdated": "2024-08-02T06:33:05.672Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2024-07-22T23:12:45.320Z"}, "title": "Consul Envoy Extension Downsteam Proxy Configuration By Upstream Service Owner", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-284", "description": "Improper Access Control", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-113", "descriptions": [{"lang": "en", "value": "CAPEC-113: Interface Manipulation"}]}], "affected": [{"vendor": "HashiCorp", "product": "Consul", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "repo": "https://github.com/hashicorp/consul", "versions": [{"status": "affected", "version": "1.15.0"}, {"status": "affected", "version": "1.15.1"}, {"status": "affected", "version": "1.15.2"}], "defaultStatus": "unaffected"}, {"vendor": "HashiCorp", "product": "Consul Enterprise", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "versions": [{"status": "affected", "version": "1.15.0"}, {"status": "affected", "version": "1.15.1"}, {"status": "affected", "version": "1.15.2"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "To exploit this vulnerability, an attacker requires access to an ACL token with service:write permissions."}]}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"}}], "source": {"discovery": "INTERNAL"}}, "adp": [{"affected": [{"vendor": "hashicorp", "product": "consul", "cpes": ["cpe:2.3:a:hashicorp:consul:1.15.0:*:*:*:-:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "1.15.0", "status": "affected", "lessThanOrEqual": "1.15.2", "versionType": "custom"}]}, {"vendor": "hashicorp", "product": "consul", "cpes": ["cpe:2.3:a:hashicorp:consul:1.15.0:*:*:*:enterprise:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "1.15.0", "status": "affected", "lessThanOrEqual": "1.15.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-22T17:13:32.336641Z", "id": "CVE-2023-2816", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-22T17:14:02.762Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:33:05.672Z"}, "title": "CVE Program Container", "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:33:05.672Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-2816", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-22T17:13:32.336641Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:hashicorp:consul:1.15.0:*:*:*:-:*:*:*"], "vendor": "hashicorp", "product": "consul", "versions": [{"status": "affected", "version": "1.15.0", "versionType": "custom", "lessThanOrEqual": "1.15.2"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:hashicorp:consul:1.15.0:*:*:*:enterprise:*:*:*"], "vendor": "hashicorp", "product": "consul", "versions": [{"status": "affected", "version": "1.15.0", "versionType": "custom", "lessThanOrEqual": "1.15.2"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-15T14:48:42.522Z"}}], "cna": {"title": "Consul Envoy Extension Downsteam Proxy Configuration By Upstream Service Owner", "source": {"discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-113", "descriptions": [{"lang": "en", "value": "CAPEC-113: Interface Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/hashicorp/consul", "vendor": "HashiCorp", "product": "Consul", "versions": [{"status": "affected", "version": "1.15.0"}, {"status": "affected", "version": "1.15.1"}, {"status": "affected", "version": "1.15.2"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}, {"vendor": "HashiCorp", "product": "Consul Enterprise", "versions": [{"status": "affected", "version": "1.15.0"}, {"status": "affected", "version": "1.15.1"}, {"status": "affected", "version": "1.15.2"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525"}], "descriptions": [{"lang": "en", "value": "Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.", "supportingMedia": [{"type": "text/html", "value": "To exploit this vulnerability, an attacker requires access to an ACL token with service:write permissions.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "Improper Access Control"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2024-07-22T23:12:45.320Z"}}}, "cveMetadata": {"cveId": "CVE-2023-2816", "state": "PUBLISHED", "dateUpdated": "2024-08-02T06:33:05.672Z", "dateReserved": "2023-05-19T18:11:06.618Z", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "datePublished": "2023-06-02T22:43:34.553Z", "assignerShortName": "HashiCorp"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*", "matchCriteriaId": "9D592391-F006-4F99-BF39-DAA3D2B86305", "versionEndExcluding": "1.15.3", "versionStartIncluding": "1.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "12E16E32-03E5-44B6-BAB5-8809E6E852F4", "versionEndExcluding": "1.15.3", "versionStartIncluding": "1.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies."}], "id": "CVE-2023-2816", "lastModified": "2023-11-07T04:13:22.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2023-06-02T23:15:09.503", "references": [{"source": "security@hashicorp.com", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@hashicorp.com", "type": "Secondary"}]}